# PeerJacking - SSL Ecosystem Attacks Against Online Commerce (update)
I just wanted to put up a short update about my PeerJacking research today. The vulnerability I discovered with SSL certificate validation in online commerce applications in July of last year is still in responsible disclosure with a number of software vendors, and I am awaiting the successful mitigation of the vulnerability before releasing the whitepaper describing the scope and impact of these certificate validation failures.
I've been informed by one of these vendors that strikingly similar research is to be presented at the ACM CCS 2012 conference. I am confused by this, as I have not been contacted by these researchers. The researchers published an abstract that revealed a number of the companies affected by PeerJacking, including several that I am currently working with on mitigation of this critical vulnerability. I've attempted to contact the academics involved but have not seen any reply yet, though the abstract in question appears to have been removed from the web for the time being.
PeerJacking (a programming failure to verify the peer's certificate when a client opens an SSL/TLS connection) affects nearly all major programming languages and is depressingly common. It is deployed widely throughout commercial server-to-server APIs from hundreds of distinct vendors. It is the breadth of the vulnerability and the sheer number of affected vendors that make responsible disclosure of this vulnerability so complicated, and why, 13 months later, I am still largely limited in what I can say publicly about this issue.
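To make the failure class concrete, here is an added example (my own illustration, not code from the original post or from any of the affected vendors) in Python's standard `ssl` module. It puts the insecure client configuration that PeerJacking describes next to the hardened one, and adds a small `audit_context` helper, which is a hypothetical name of my choosing, that a code reviewer could run over a client's `SSLContext` to flag missing peer verification before the code reaches production.

```python
import socket
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The PeerJacking pattern: chain validation and hostname matching both off.

    A client built on this context completes the handshake with whatever
    certificate the other side presents, so an active attacker on the path
    can stand in for the real API endpoint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The correct pattern: validate the chain against a trust store and match the hostname.

    create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True;
    pass cafile to pin the trust store to a private CA instead of the system bundle.
    """
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the peer-verification weaknesses found in ctx (empty list means none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the peer certificate is never validated")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode is CERT_OPTIONAL: a peer that sends no certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other name is accepted")
    return findings


def open_verified_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect only if ctx passes the audit; server_hostname drives SNI and hostname matching."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect with an unverified TLS client: " + "; ".join(problems))
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

The audit is deliberately conservative: `CERT_OPTIONAL` is reported as well, because a server-to-server client that tolerates an absent certificate is still accepting an unauthenticated peer. `open_verified_connection` shows the other half of the fix, passing `server_hostname` so the library has a name to check the certificate against; it is not exercised here because it needs a live endpoint.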
As before, please contact the Canadian Cyber Incident Response Centre for advice. They are the agency handling the responsible disclosure, notification and mitigation of this vulnerability affecting critical infrastructure.
See also (previous posts on this topic):

- PeerJacking - SSL Ecosystem Attacks Against Online Commerce
- Credit Card System Update (IN11-003)
- Credit Card System Vulnerability
- Update on Credit Card System Vulnerability